1. Risk Analysis in Information Technology Projects Tennessee Summit ‘09 October 20, 2009 Thomas Danford Chief Information Officer Tennessee Board of Regents

5. Risk Analysis vs. Risk Management (Risk analysis is broadly defined to include risk assessment, risk categorization, risk communication, risk management, and policy relating to risk. In evaluating large scale IT projects they are typically done independently) What is Risk Analysis? Risk analysis is the systematic study of uncertainties and risks that could be encountered in business, engineering, public policy, and IT (as well as many other areas). What Is Risk Management? Active process of assessing, communicating and managing the risks facing an organization to ensure that an organization meets its objectives.

6. Risk Analysis & Management Process Project’s Strategic Objectives Risk Analysis Risk Reporting Threats and Opportunities Decision Risk Management Residual Risk Reporting Monitoring Risk Identification Qualitative Risk Estimation Quantitative Risk Evaluation Analysis Management

7. Roles in Risk Analysis/Management (In evaluating large scale IT projects risk analysis is typically part of the project evaluation process) Risk Analysts – identify risks faced, determine how and when they arise, and estimate the severity of impact of adverse outcomes. Risk Managers – Mitigate or hedge identified risks.

9. Methodologies not easily adapted to IT Project Risk Analysis Risk Simulation Models – Useful in situations with "flows" of materials or parts, people, etc. with complex interrelationship through a system with multiple steps (logistics, manufacturing, budgeting) Monte Carlo Analysis – Useful for modeling where there is such significant uncertainty in many inputs that randomizing variables is viable for analysis (economics, oil production, sales)

10. Qualitative & Quantitative Risk Analysis Qualitative Risk Analysis – Used to identify potential risks, as well as assets and resources which are vulnerable to these risks. Includes both internally and externally driven risk elements Quantitative Risk Analysis – Provides arithmetic assessment of the probability and impact of the identified risks. Quantitative risk analysis is also used to create overall risk scores for the risk elements and project alternatives.

11. Qualitative Risk Elements Financial Risks Cost of Ownership Project Scope Cost Benefit Complexity Provisioning Change Management Technology Risks Contracts Governance Communication Environment Management Risks Strategic Risks Competition Requirements Industry Changes Customer Demand Life Cycle Integration State Appropriations Products & Services Recruitment Re-skilling Politics Technology Advances Maintenance & Upgrades Many risk elements have both external and internal drivers. Hence, those elements overlap.

12. Ishikawa’s “Fishbone” Technique

13. Quantifying Risk Impact on Project Likelihood Low Medium High (10) (50) (100) High (1.0) Low Medium High 10 X 1.0 = 10 50 X 1.0 = 50 100 X 1.0 = 100 Medium (0.5) Low Medium Medium 10 X 0.5 = 5 50 X 0.5 = 25 100 X 0.5 = 50 Low (0.1) Low Low Low 10 X 0.1 = 1 50 X 0.1 = 5 100 X 0.1 = 10

15. Comparative Risk Analysis

16. Comparative Risk Analysis

17. Risk, Cost, & Schedule

18. Risk Analysis Explicitly Addresses: Heuristics – Tendency of people to use "rules of thumb", intuition, educated guesses or even common sense, which doesn't serve very well in complex IT, business, and policy decisions. Cognitive Bias – Tendency to over-weight the most recent adverse event and projecting current good or bad outcomes too far into the future. Optimism Bias – The demonstrated systematic tendency for people to be overly optimistic about the outcome of planned actions. Fear, Uncertainty, and Doubt (FUD) – Strategy to influence decision making by disseminating negative (dis)information designed to undermine the credibility of a project.